Teams/Warp Network Policy - Private Network access with a default block all

With the new-ish private access added to Teams, is there a way to create a default block all network policy to a subnet and then allow only specific resources? We have multiple applications that run on various ports. I would like to segment specific traffic to user groups and block the rest.

For instance, we have an internal web application. I would like to allow traffic to 80, 443, but block 3389 for group “Users”. I would like group “Admins” to have access to 80, 443, and 3389 to that specific server. The rest of the ports to that specific server I would like blocked.

I would additionally need all Active Directory passed to the specific domain controllers (but I could create that as a rule as well).

I would expect a firewall-esque rule set:
block all to 10.10.10.0/24
pass in <matching criteria {groups = users, admins}> to 10.10.10.13 to port 80, 443
pass in <matching criteria {groups = admins}> to 10.10.10.13 to port 3389

Feasible?

The network rule would be CIDR Range and ports x, y, z and Azure Group ID ne group ID deny. Or create a low priority block all rule with higher priority allow rules for specific configurations.


Here is a tutorial you may find useful that walks through what creating a rule like this may look like as well.

I tried the low priority block rule and it seems to stop all traffic. Here’s my policy order:

Gateway > Policies > Network:

  1. Name: Web App
    Expression: SNI is web01.company.com
    AND Destination IP is 10.10.10.13
    AND Destination Port is 80, 443, 3389

  2. Name: Block All
    Expression: Destination IP in 10.10.10.0/24
    Action: Block

If Block All (#2) is enabled, I can’t access anything. If I disable Block All, I can access a different, not explicitly allowed server app01.company.com via rdp (3389).

If the rules are matching Top Down, then I shouldn’t be able to access app01.company.com but still have access to web01.company.com, correct?

I don’t think RDP handshakes the way a web browser does. Or if you remove the SNI portion of the rule, does it still fail?

Removing SNI seemed to work. I restarted from scratch just to simplify it all:

  1. Name: Web App
    Expression: Destination IP is 10.10.10.13
    AND Destination Port is 80, 443
    Action: Allow

  2. Name: Allow RDP to Web01 for Admins
    Expression: Destination IP is 10.10.10.13
    AND Destination port is 3389
    AND user email is [email protected]
    Action: Allow

  3. Name: Block All
    Expression: Destination IP in 10.10.10.0/24
    Action: Block

This works. By default, adding Access > Application > internal application adds both an Allow and a Block policy. I think that was causing confusion (either for me or the process). So I deleted the block policies that were added and now have just explicit allows with block all last. I can’t RDP to anything that isn’t explicitly allowed. (I can’t access anything that isn’t explicitly allowed.)

So now the next step is how to make the “Enable WARP client session duration” work correctly, but that’s a different question.

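As an added illustration (not from the thread, and not Cloudflare's evaluation engine), this Python model applies top-down, first-match evaluation to both policy orders posted above: the SNI condition in the first attempt can never match an RDP flow, so RDP falls through to Block All, while the revised order allows RDP to web01 only for the admin identity and blocks everything else in the subnet. The admin address and the rule actions for the first attempt are constructed assumptions.

```python
# Simplified first-match model of an ordered network policy list (constructed for this thread).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    user: str
    sni: Optional[str] = None  # RDP and plain HTTP carry no TLS SNI

@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "block"
    dst_cidr: str = "0.0.0.0/0"
    ports: frozenset = frozenset()       # empty: any destination port
    sni: Optional[str] = None            # None: no SNI condition
    users: frozenset = frozenset()       # empty: any identity

    def matches(self, f: Flow) -> bool:
        if ip_address(f.dst_ip) not in ip_network(self.dst_cidr):
            return False
        if self.ports and f.dst_port not in self.ports:
            return False
        if self.sni is not None and f.sni != self.sni:
            return False  # a flow without SNI can never satisfy an SNI condition
        return not self.users or f.user in self.users

def evaluate(rules, flow) -> str:
    # First matching rule decides; no match is modelled as an implicit allow.
    for r in rules:
        if r.matches(flow):
            return f"{r.action}:{r.name}"
    return "allow:no-match"

ADMIN = "admin@company.com"  # constructed placeholder identity
# First attempt from the thread: allow rule carries an SNI condition, then block the subnet.
FIRST_ATTEMPT = [
    Rule("Web App", "allow", "10.10.10.13/32", frozenset({80, 443, 3389}), sni="web01.company.com"),
    Rule("Block All", "block", "10.10.10.0/24"),
]
# Revised order: explicit allows without SNI, identity-scoped RDP, then block the rest.
REVISED = [
    Rule("Web App", "allow", "10.10.10.13/32", frozenset({80, 443})),
    Rule("Allow RDP to Web01 for Admins", "allow", "10.10.10.13/32", frozenset({3389}), users=frozenset({ADMIN})),
    Rule("Block All", "block", "10.10.10.0/24"),
]
```

Run `evaluate(FIRST_ATTEMPT, Flow("10.10.10.13", 3389, ADMIN))` against `evaluate(REVISED, ...)` to see the same RDP flow blocked by the first order and allowed by the second.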
